Ninja Tables Vulnerability – Missing Authorization – CVE-2024-23504 | WordPress Plugin Vulnerability Report
Plugin Name: Ninja Tables
Key Information:
- Software Type: Plugin
- Software Slug: ninja-tables
- Software Status: Active
- Software Author: techjewel
- Software Downloads: 1,636,926
- Active Installs: 80,000
- Last Updated: January 19, 2024
- Patched Versions: 5.0.6
- Affected Versions: <= 5.0.5
Vulnerability Details:
- Name: Ninja Tables <= 5.0.5 - Missing Authorization
- Title: Missing Authorization
- Type: Missing Authorization
- CVE: CVE-2024-23504
- CVSS Score: 5.3 (Medium)
- Publicly Published: January 19, 2024
- Researcher: emad
- Description: The Ninja Tables plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the defaultExport() and dragAndDropExport() functions in versions up to, and including, 5.0.5. This makes it possible for unauthenticated attackers to export table data.
Summary:
The Ninja Tables plugin for WordPress has a vulnerability in versions up to and including 5.0.5 that allows unauthenticated users to export table data. This vulnerability has been patched in version 5.0.6.
Detailed Overview:
The vulnerability arises due to missing access control checks in the defaultExport() and dragAndDropExport() functions of the Ninja Tables plugin. This oversight makes it possible for any unauthenticated user to export sensitive table data from vulnerable installations. The issue was responsibly disclosed and patched on January 19th, 2024 in version 5.0.6. Sites running Ninja Tables versions 5.0.5 and below are exposed to data theft until updated. Users are advised to update immediately to close this access control gap.
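To make this class of defect concrete, the following is an added illustration, not Ninja Tables' own code (which this report does not reproduce): a hypothetical WordPress AJAX table-export handler with the authorization check missing, beside the same handler hardened with a capability check and nonce verification. All function, hook, nonce and capability names here are invented or chosen as conservative defaults.

```php
<?php
// Hypothetical plugin code for illustration only; not Ninja Tables' implementation.

// BEFORE: registering on wp_ajax_nopriv_* makes the handler reachable by
// unauthenticated visitors, and nothing verifies the caller before rows are sent.
add_action( 'wp_ajax_my_tables_export', 'my_tables_export_vulnerable' );
add_action( 'wp_ajax_nopriv_my_tables_export', 'my_tables_export_vulnerable' );

function my_tables_export_vulnerable() {
    $table_id = isset( $_REQUEST['table_id'] ) ? absint( $_REQUEST['table_id'] ) : 0;
    wp_send_json( my_tables_get_rows( $table_id ) ); // data leaves with no check
}

// AFTER: only logged-in users reach the hook (no nopriv registration), the
// caller must hold an administrative capability, and the request must carry a
// valid nonce so a logged-in user cannot be tricked into triggering the export.
add_action( 'wp_ajax_my_tables_export', 'my_tables_export_hardened' );

function my_tables_export_hardened() {
    // check_ajax_referer() stops the request on a bad nonce. 'my_tables_export'
    // is an invented nonce action; the field name defaults to '_ajax_nonce'.
    check_ajax_referer( 'my_tables_export' );

    // Capability check: a real plugin would use its own capability;
    // manage_options (administrators only) is the conservative default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $table_id = isset( $_REQUEST['table_id'] ) ? absint( $_REQUEST['table_id'] ) : 0;
    if ( 0 === $table_id ) {
        wp_send_json_error( array( 'message' => 'Missing table id.' ), 400 );
    }
    wp_send_json_success( my_tables_get_rows( $table_id ) );
}

// Placeholder data access; a real plugin reads rows from its own storage.
function my_tables_get_rows( $table_id ) {
    return array(); // rows for $table_id would be returned here
}
```

The hardened form is the pattern to look for when reviewing any plugin endpoint that returns stored data: an explicit capability check plus nonce verification, with no nopriv registration unless anonymous access is genuinely intended.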
Advice for Users:
- Immediate Action: Update to version 5.0.6 as soon as possible.
- Check for Signs of Compromise: Review Ninja Tables activity logs for unauthorized data exports.
- Alternate Plugins: Consider TablePress or wpDataTables as alternative table plugins.
- Stay Updated: Enable automatic updates on all plugins to receive vulnerability patches rapidly.
Conclusion:
The quick response from Ninja Tables in patching this serious flaw indicates their commitment to security. However, sites still running older versions remain at risk. Updating to the latest release is highly advised to close this unauthorized data access vector.
References:
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/ninja-tables
Detailed Report:
Keeping your website secure should be a top priority – outdated software and plugins open doors for attackers to access your site. Unfortunately, a popular WordPress plugin called Ninja Tables has a newly disclosed vulnerability that puts over 80,000 websites at risk. In this post, I’ll provide practical advice to help you understand the risks and take action to protect your site.
About Ninja Tables
Ninja Tables is a WordPress plugin with over 1.6 million downloads that allows you to build and manage tables and data sets easily on your site. It’s actively maintained and has 80,000+ active installs currently.
The Vulnerability
Researcher emad recently disclosed a vulnerability dubbed “Missing Authorization” in Ninja Tables version 5.0.5 and below. The vulnerability allows any unauthenticated user – including attackers – to export data from Ninja Tables on vulnerable sites. This presents a serious security threat and data breach risk.
Risks and Impacts
This vulnerability allows an attacker to steal confidential business data you may store in Ninja Tables, such as customer information, financials, or operational details. Left unpatched, your website is an open door to anyone looking for exactly that kind of data.
How to Fix
The good news is Ninja Tables released version 5.0.6 on January 19th, 2024 to patch this vulnerability. Updating is as easy as clicking “Update” next to Ninja Tables in your plugin dashboard. This closes the security hole, preventing future unauthorized access and exports.
Past Vulnerabilities
Ninja Tables has had 3 other vulnerabilities reported since October 2021. While the development team has responsibly patched previous flaws, updating diligently helps avoid exposing your site during these gaps.
Staying Secure
As a small business owner without ample security resources, the most effective way to avoid threats like this Ninja Tables vulnerability is to enable automatic WordPress updates. This automatically applies security patches in the background without any effort on your end.
Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.
Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.